Digital Identification Enrollment

ABSTRACT

In some implementations, a computer-implemented method and system for enrolling customers into a digital identification program may include obtaining, from a digital identification database, customer information that describes a customer, providing to the customer device an access code for activation, receiving a request from the customer device for the digital identification, where the request includes the access code and customer information that describes the customer, providing a request for secure information that describes the customer from a secure information database, receiving the secure information that describes the customer stored in the secure information database, generating the digital identification for the customer based on the secure information and the customer information, and providing the digital identification to the customer device.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 16/042,842, filed Jul. 23, 2018, now U.S. Pat. No. 10,678,939, which is a continuation of U.S. patent application Ser. No. 14/964,215, filed Dec. 9, 2015, now U.S. Pat. No. 10,032,042, which claims priority to U.S. Provisional Application Ser. No. 62/090,348, filed on Dec. 10, 2014.

FIELD

The present specification is related generally to digital identifications.

BACKGROUND

Physical identification cards such as driver licenses are commonly used for verifying the identity of an individual, providing access to restricted areas, or authorizing an individual to purchase age-restricted content.

SUMMARY

Physical identification cards are provided by issuing authorities such as government agencies or companies to customers during an issuance process. Such physical identification cards include customer information that is used to identify the identity of the customer, and in some instances, provide access or privileges to the customer. However, because security features included in physical identification cards are often preset during the issuance process, customers are often susceptible to risk of fraud and counterfeiting when the preset security features are compromised. Additionally, if a customer's information changes, e.g., residence address, the customer may need to wait for a new physical identification card to be printed and mailed to the customer.

Accordingly, one innovative aspect of the subject matter described in this specification may include a computer-implemented method for an enrollment process for provisioning digital identifications for customers. For instance, a digital identification may be provisioned to enable customers to carry and present digital forms of a physical identification on a portable electronic device. The digital identification may additionally be configured to an application infrastructure that includes a digital identification server that stores customer information, an issuing authority that stores secure customer information included in a physical identification card, and a customer device that displays and provides access to the digital identification. In some instances, the digital identification may include multiple security and anti-counterfeiting features to protect the customer information included in the digital identification against fraud and identity theft.

Implementations may include one or more of the following features. For example, computer-implemented methods may include provisioning a digital identification on a customer device. The computer-implemented methods may include obtaining, from a digital identification database, customer information that describes a customer, providing to the customer device an access code for activation, receiving a request from the customer device for the digital identification that includes the access code and customer information that describes the customer, determining that the access code in the received request matches the access code for activation provided to the customer device and that the customer information from the customer device matches the customer information that describes the customer obtained from the digital identification database, in response to determining that the access code in the received request matches the access code for activation provided to the customer device and that the customer information entered by the customer matches the customer information that describes the customer obtained from the digital identification database, providing a request for secure information that describes the customer from a secure information database, receiving the secure information that describes the customer stored in the secure information database, generating the digital identification for the customer based on the secure information and the customer information, and providing the digital identification to the customer device.

Other versions include corresponding systems, and computer programs, configured to perform the actions of the methods encoded on computer storage devices.

One or more implementations may include the following optional features. For example, in some implementations, the secure information that describes the customer stored in the secure information database includes demographic information associated with the customer and a portrait image of the customer.

In some implementations, providing the digital identification to the customer device includes providing an access credential associated with the digital identification.

In some implementations, providing to the customer device the access code for activation includes providing a deeplink that directs the customer to install a digital identification application on the customer device.

In some implementations, receiving the request from the customer device for the digital identification includes receiving one or more images of a physical identification from the customer device, and identifying, based on using an optical character recognition technique on the one or more images of the physical identification, customer information that describes the customer.

In some implementations, generating the digital identification for the customer includes determining that the identified customer information that describes the customer from the one or more images of the physical identification matches the secure information that describes the customer stored in the secure information databases, and in response, generating the digital identification for the customer.

In some implementations, the computer-implemented method may include: deciding to provide a customer device associated with the customer a digital identification for the customer, where providing to the customer device the access code for activation is in response to deciding to provide the customer device associated with the customer the digital identification for the customer.

The details of one or more implementations are set forth in the accompanying drawings and the description below. Other potential features and advantages will become apparent from the description, the drawings, and the claims.

Other implementations of these aspects include corresponding systems, apparatus and computer programs, configured to perform the actions of the methods, encoded on computer storage devices.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A illustrates a block diagram of an example system for providing digital identifications to a customer device.

FIG. 1B illustrates example security protocols of a digital identification.

FIGS. 2A-2C illustrate swim lane sequence diagrams of example digital identification enrollment processes.

FIG. 3 illustrates a flowchart of an example process of digital identification enrollment and provisioning.

In the drawings, like reference numbers represent corresponding parts throughout.

DETAILED DESCRIPTION

In general, this specification describes methods and systems for provisioning digital identifications for customers. For instance, a digital identification may be complementary to a physical identification card and provided on a portable electronic device, enabling customers to carry and display digital forms of physical identification cards on the portable electronic device. In some instances, the digital identification may include multiple security protocols to protect customer information against fraud and counterfeiting.

A “customer” may refer to a user or individual. For example, a customer may be an individual with a physical identification card that may be a driver's license issued by a department of motor vehicles of a territory or a municipality. In other instances, the identification card may be other types of identifications such as a social security card, a passport, a birth certificate, or other government or company-issued identification cards.

A customer may be provided with a digital identification by enrolling into a digital identification program offered by a digital identification administrator. In some instances, the digital identification administrator may also be the issuing authority. In other instances, the digital identification administrator may be another organization that is authorized by the issuing authority to manage the issuance and maintenance of digital identifications.

A customer may opt to enroll into the digital identification program using various methods such as, for example, an online enrollment process, a form submission, an automated provisioning by an issuing authority, or through an oral agreement with an authorized representative. The digital identification server may then create a customer entry including customer information in a digital identification database. For instance, the customer information may include one or more of an email address, a mobile number, an identification number, a customer photograph, and other types of demographic information (e.g., home address) associated with the customer. The digital identification database may also indicate to the digital identification administrator that an entry for the customer has been successfully created once the entry for the customer has been created.

The enrollment process for the digital identification program may include the use of various methods to receive customer information, such as, for example, the use of email or mobile communication, the use of a secret provided directly to the customer such as a personal identification number (PIN), and/or the use of customer biometric parameters to match to those on file with the issuing authority.

FIG. 1A illustrates exemplary architecture for a system 100 for provisioning a digital identification 132 for a customer. In general, the system 100 may be used for various processes associated with a digital identification 132. For instance, the system 100 may be used to initially enroll customers into a digital identification program, and provision a digital identification 132 to enrolled customers.

Briefly, the system 100 may include a digital identification server 110, an issuing authority server 120, and a customer device 130 connected over a network 105. The digital identification server 110 may also be configured to exchange communications with a digital identification database 112. In addition, the customer device 130 may display a digital identification 132 on a user interface presented to a user (e.g., a customer or any other authorized user) on the customer device 130. Although the digital identification 132 is depicted as a digital driver license in FIG. 1A, the digital identification 132 may alternatively be a digital form of any physical identification card issued to a customer from various types of identification issuing authorities (e.g., a government agency or a company). The digital identification 132 may also include a feature of being usable as an online account for authentication to web sites. In some implementations, the button shown on the user interface of the customer device 130 labeled “HOME” may instead be a button labeled “LOGIN” that enables a user to select the button to choose from one or more websites to log into an account of the user using the digital identification 132. For example, the digital identification 132 may receive a selection of login, present a list of websites, receive a selection of a particular website, and in response, provide the website information from the digital identification 132 that authenticates the user as the user associated with the account on the website.

The system 100 may be used to periodically assign and update a security status associated with the digital identification 132 of each enrolled customer. The security status associated with the digital identification 132 may be a set of configuration settings that control the digital identification 132. In some implementations, the security status may specify different sets of customer credential data to be used under different conditions, and the customer device 130 may update the security status based on information from the digital identification server 110.

For example, a security status received by a customer device 130 from the digital identification server 110 may specify that when the digital identification 132 is displayed on the customer device 130 on a Monday, the digital identification 132 include a first credential data, and when the digital identification 132 is displayed on the customer device 130 on a Tuesday, the digital identification 132 include a different, second credential data. Credential data may refer to information that is used to verify validity of customer information. For example, credential data may include a particular image, a particular verification phrase, or a checksum of customer information calculated with a particular checksum algorithm.

In another example, the security status may be used by the digital identification server 110 to indicate on the customer device 130 whether the digital identification 132 is “valid” or “invalid” based on a verification procedure performed by the digital identification server 110. In other examples, the security status may variably include a set of customer credential data associated with the digital identification 132 over a particular period of time. The customer credential data may refer to customer-specific information used to verify the authenticity of the digital identification 132 and/or prevent fraudulent or unauthorized access of the digital identification 132. For instance, as described more particularly in FIG. 1B, the customer credential data may be used with various security level protocols of the digital identification 132 where each level uses a different set of credential data and different detection techniques to identify the credential data for use in the verification of the digital identification 132.
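The day-dependent credential data and the “valid”/“invalid” decision described above can be sketched as follows. This is an added example, not code from the specification: the key, the weekday-to-algorithm table, the field names and the sample customer are constructed, and the checksum is keyed with a server-held secret (HMAC), which is a choice made for this example where the text only says "checksum".

```python
import hmac
import json
from datetime import date

# Constructed values for illustration; none of them come from the specification.
SERVER_KEY = b"constructed-demo-key"            # held only by the server (assumption)
WEEKDAY_ALGORITHM = {0: "sha256", 1: "sha512"}  # 0 = Monday, 1 = Tuesday
DEFAULT_ALGORITHM = "sha384"                    # used on all other days (assumption)


def canonical(customer_info: dict) -> bytes:
    """Serialize customer information deterministically before checksumming."""
    return json.dumps(customer_info, sort_keys=True, separators=(",", ":")).encode()


def algorithm_for(day: date) -> str:
    """Pick the checksum algorithm the security status prescribes for this day."""
    return WEEKDAY_ALGORITHM.get(day.weekday(), DEFAULT_ALGORITHM)


def issue_security_status(customer_info: dict, day: date) -> dict:
    """Server side: build the security status sent to the customer device."""
    algorithm = algorithm_for(day)
    credential = hmac.new(SERVER_KEY, canonical(customer_info), algorithm).hexdigest()
    return {"valid_on": day.isoformat(), "algorithm": algorithm,
            "credential": credential}


def verify_packet(info_on_record: dict, packet: dict, today: date) -> str:
    """Server side: compare the credential a device presents with the one
    expected today for the customer information on record."""
    expected = issue_security_status(info_on_record, today)["credential"]
    presented = str(packet.get("credential", ""))
    ok = hmac.compare_digest(presented.encode(), expected.encode())
    return "valid" if ok else "invalid"


if __name__ == "__main__":
    info = {"id_number": "D1234567", "name": "Pat Example",
            "address": "1 Sample Street"}          # constructed customer
    monday, tuesday = date(2024, 1, 1), date(2024, 1, 2)
    status = issue_security_status(info, monday)
    print(verify_packet(info, status, monday))     # credential used on its day
    print(verify_packet(info, status, tuesday))    # Monday credential shown on Tuesday
    forged = issue_security_status({**info, "address": "9 Other Road"}, monday)
    print(verify_packet(info, forged, monday))     # credential over altered information
```
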

In yet another example, the security status may be used by the digital identification server 110 to generate different representations of the digital identification 132 on the customer device 130 based on the GPS location of the customer device 130. In still another example, the security status may be used to adjust the access to specific information in the digital identification 132 based on the particular application of use (e.g., identity verification, age-restricted product access, etc.).

In addition, the system 100 may use a set of dynamic security protocols to protect customer information included in the digital identifications 132 of enrolled customers, and verify the authenticity of the digital identification 132. As described more particularly with respect to FIG. 1B, the set of dynamic security protocols may describe various security protocols implemented by the digital identification server 110 using different types of variable customer credential data, and detection techniques to perform a verification operation of the variable customer credential data. For instance, the set of dynamic security protocols may be associated with “levels” that represent different protocol complexities, and different detection techniques of the variable customer credential data. For example, level one security protocols may represent a protocol for verification that uses simpler credential data that may be more easily detectable by the human eye, whereas level three security protocols may represent a protocol for verification that uses complex credential data that may be encrypted and require the use of a detector device and a distributed private decryption key.

In more detail, the network 105 may be configured to enable electronic communications between the digital identification server 110, the issuing authority server 120, and the customer device 130. For instance, the network 105 may include Local Area Networks (LANs), wide area networks (WANs), Wi-Fi, or analog or digital wired and wireless networks. The network 105 may include multiple networks or subnetworks, each of which may include, for example, a wired or wireless data pathway. The network 105 may also include a circuit-switched network, a packet-switched data network, or any network capable of carrying electronic communications (e.g., data or voice communications). For example, the network 105 may include networks based on the Internet Protocol (IP), or other comparable technologies.

The digital identification server 110 may be a remote server that is monitored and operated by an organization or institution that is authorized by an identification issuing authority to provide the digital identification 132 to a customer. In some instances, the organization or institution operating the digital identification server 110 may be an organization that is designated by the identification issuing authority to access identification information for a plurality of customers who have been issued a physical identification card. In other instances, the organization or institution operating the digital identification server 110 may be the identification issuing authority (e.g., a government institution) that issues a plurality of customers with a physical identification card.

The digital identification server 110 may coordinate and administer the backend processes that are involved in provisioning a digital identification to the plurality of customers that have been issued a physical identification from the identification issuing authority. For instance, the digital identification server 110 may initiate processes to enroll customers with the digital identification 132, and operate security protocols to detect potential fraudulent use or privacy breaches associated with the digital identifications. In some instances, the processes related to the digital identification 132, as described above, may be coordinated with the issuing authority server 120, to ensure that secure customer information that includes personally identifiable information are not exposed during the provisioning of the digital identification 132. In still other instances, the customer may initiate on the customer device 130 processes for the provisioning of a digital identification by providing customer information to the digital identification server 110 that is compared with customer information of record on the issuing authority server 120 to provision the digital identification.

As described, secure customer information may refer to customer information within the digital identification 132 that may include personally identifiable information associated with the customer such as, for example, social security numbers, driver license numbers, place of residence, and/or other demographic information that is associated with other types of information that the customer considers private. Access to the secure customer information within the digital identification 132 may be restricted by the digital identification server 110 by using particular authorization procedures (e.g., requiring of customer access codes) to access the secure information on the client device 130.

The digital identification server 110 may exchange communications with the digital identification database 112, which includes customer information for enrolled customers and/or other configuration details related to the digital identification program. For instance, the digital identification database 112 may include a customer entry associated with a customer that includes account information associated with enrolled customers, and any type of customer information that may be provided by the customer during a digital identification enrollment process. The digital identification database 112 may also include customer information or cryptographic representations of customer information used for verification of personally identifiable information associated with a customer.

In some implementations, the digital identification database 112 may include customer entries for both customers that are enrolled in the digital identification program and potential customers that the digital identification server 110 has identified as customers that are likely to enroll in the digital identification program. For example, the digital identification database 112 may include a field that indicates whether a customer entry is associated with an enrolled customer or a potential customer. In such implementations, the digital identification database 112 may be accessed by the digital identification server 110 to retrieve customer information for the digital identification 132 associated with an enrolled customer, and customer information for a candidate customer in order to send an enrollment email that provides an enrollment code to the candidate customer.

In some implementations, the customer entry for enrolled customers may be automatically created by the digital identification server 110 within the digital identification database 112. In such implementations, the customer may submit an online enrollment form including a set of user fields for providing customer information. In response, the digital identification server 110 may initiate a computer-implemented procedure that automatically generates a customer entry for the customer in the digital identification database 112 and inserts the values submitted for the set of user fields as customer information that is included in the customer entry. These values may then be verified at the issuing authority server prior to provisioning of the digital identification 132.

In addition, the digital identification database 112 may include security status information associated with the digital identification 132, which is accessed by the digital identification server to assign a security status to the digital identification 132 at particular time periods. For instance, the security status information may specify a set of customer credential data to be included in the digital identification 132, and a timestamp associated with each customer credential data indicating when the data was generated by the digital identification server 110. In one example, the security status information may specify the values of customer credential data such as access codes or customer-selected authentication mechanisms associated with the digital identification 132. In another example, the security status information may specify configurations for executing the security protocols to verify the digital identification 132.

In yet another example, the security status information may include a set of instruction files that may be transmitted to customer devices to periodically backup customer data included in digital identifications 132 and/or enable separate detector devices to verify the digital identification 132 that is displayed on a customer device.

In some implementations, the digital identification server 110 may additionally exchange communications with an image server which stores photographs associated with a customer identification card. In some implementations, the image server may be operated by an entity or organization separate from the one that operates the digital identification server 110. For instance, in such implementations, the image server may be operated by the identification issuing authority. In other implementations, the image server may be operated by the authorized issuing authority that also operates the digital identification server 110. In such implementations, the image server may be a sub-component of the digital identification server 110.

The issuing authority server 120 may be a remote server that is operated by the issuing authority and used to control access to secure customer information that is included in physical identification cards issued by the issuing authority. For instance, the issuing authority server 120 may provide access to demographic information of customers, historical information associated with customers (e.g., previous identification cards issued, number of renewals, etc.), and/or other types of customer information using authorization procedures that require validation of access credentials. For example, upon receiving a request for the secure customer information by the digital identification server 110, the issuing authority server 120 may require an exchange of the access credentials to validate an authorized request.

In some implementations, the issuing authority server 120 may contain verification workflows that provide for the comparison of demographic and biometric data to customer-submitted attributes such that the data and images within the customer record remain in possession of the issuing authority yet the verification of data authorizes the provisioning of the digital identification.

The issuing authority server 120 may be queried by the digital identification server 110 for secure customer information during a digital identification operation. For instance, during an enrollment process, after a customer has opted to enroll into a digital identification program, the digital identification server 110 may query the issuing authority server 120 using a customer identifier number to extract secure customer information to be included in a generated digital identification 132. In another example, during a verification operation, the digital identification server 110 may access the issuing authority server 120 to determine whether a digital identification 132 for a customer includes false customer information indicative of a fraudulent digital identification 132. In other implementations, the issuing authority server 120 may execute verification workflows that permit the accuracy of digital identifications or customer-submitted information to be verified without the customer information of record leaving the issuing authority.

In some implementations, the issuing authority server 120 may be configured with additional security protocols compared to the digital identity server 110 to protect sensitive customer information associated with the customer. For instance, in some instances, the issuing authority server 120 may be associated with a Federal government agency that manages nationwide programs that require specialized access (e.g., a government clearance). In such instances, the digital identification server 110 may be configured to access the secure customer information stored within the issuing authority server 120 under a special security agreement that ensures that the exchange of the secure customer information is controlled and regulated according to Federal privacy statutes. For example, the issuing authority server 120 may track information related to each exchange with the digital identification server 110 such that in the event that the digital identification server 110 determines that a particular digital identification 130 is invalid, a notification may be received by the issuing authority server 120 to take additional security measures to protect more sensitive customer information that may be associated with, but not included in, the digital identification 132. In this regard, the communication exchange between the digital identification server 110 and the issuing authority server 120 may be utilized to ensure protection of customer information beyond the customer information included in the digital identification 132.

The customer device 130 may be a portable electronic computing device that displays the digital identification 132 associated with a customer. For instance, the customer device 130 may be, for example, a smart phone, a tablet computer, a laptop computer, a personal digital assistant device, an electronic pad, a smart watch, a smart glass, or any personal electronic device with a display that is connected to a network or connected to another device that is connected to a network.

The customer device 130 exchanges communications with the digital identification server 110 to receive and transmit enrollment information related to the digital identification program, customer data that is included in the digital identification, credential data used to verify the authenticity of the digital identification 132, and/or configuration settings that adjust the display of the digital identification 132 on the customer device 130. For example, during an online enrollment process, the customer may use the customer device 130 to input customer information or derive customer information from a physical identification card and enter an assigned access code for the digital identification program, which is then transmitted to the digital identification server 110 to generate the digital identification 132. In another example, during a verification process, when the digital identification 132 is enabled on the customer device 130, a data packet including credential data may be transmitted to the digital identification server 110 to determine whether the digital identification 132 is still valid or includes accurate information. In this example, if the digital identification server 110 determines that the credential data is valid, then the digital identification may be determined to be valid. Alternatively, if the digital identification server 110 determines that the credential data is not valid, then the digital identification 132 may be determined to be invalid.
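The enrollment exchange described above (an access code provided for activation, a request checked against the digital identification database, secure information fetched from the issuing authority only after both checks pass) can be sketched as follows. This is an added example, not code from the specification: all records, field names, the access credential and the single-use handling of the access code are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample data; every identifier and value here is hypothetical.
DIGITAL_ID_DB = {  # digital identification database: one customer entry
    "C-1001": {"email": "pat@example.test", "id_number": "D1234567",
               "status": "potential"},
}
SECURE_INFO_DB = {  # secure information database held by the issuing authority
    "D1234567": {"name": "Pat Example", "date_of_birth": "1990-01-31",
                 "portrait": b"constructed-portrait-bytes"},
}
AUTHORITY_CREDENTIAL = "constructed-access-credential"
MATCH_FIELDS = ("email", "id_number")  # assumption: fields compared at enrollment


class EnrollmentError(Exception):
    """Raised when an enrollment request must be refused."""


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def issuing_authority_lookup(id_number: str, access_credential: str) -> dict:
    """Issuing authority side: validate the access credential, then release
    the secure information for one customer identifier."""
    if not _same(access_credential, AUTHORITY_CREDENTIAL):
        raise PermissionError("access credential rejected")
    return SECURE_INFO_DB[id_number]


class DigitalIdServer:
    def __init__(self):
        self._pending = {}  # customer_id -> access code awaiting activation

    def provide_access_code(self, customer_id: str) -> str:
        """Issue an unguessable access code for a customer already on file."""
        if customer_id not in DIGITAL_ID_DB:
            raise EnrollmentError("unknown customer")
        code = secrets.token_urlsafe(16)
        self._pending[customer_id] = code
        return code

    def handle_request(self, customer_id: str, access_code: str,
                       submitted: dict) -> dict:
        """Check the access code and the submitted customer information;
        only then query the issuing authority and build the identification."""
        entry = DIGITAL_ID_DB.get(customer_id)
        expected = self._pending.get(customer_id)
        if entry is None or expected is None:
            raise EnrollmentError("no pending enrollment for this customer")
        code_ok = _same(access_code, expected)
        info_ok = all(_same(str(submitted.get(f, "")), entry[f])
                      for f in MATCH_FIELDS)
        if not (code_ok and info_ok):
            # One generic error: the caller does not learn which check failed.
            raise EnrollmentError("access code or customer information mismatch")
        del self._pending[customer_id]  # assumption: the code is single-use
        secure = issuing_authority_lookup(entry["id_number"], AUTHORITY_CREDENTIAL)
        entry["status"] = "enrolled"
        return {"customer_id": customer_id, "id_number": entry["id_number"],
                **secure}


if __name__ == "__main__":
    server = DigitalIdServer()
    code = server.provide_access_code("C-1001")
    digital_id = server.handle_request(
        "C-1001", code, {"email": "pat@example.test", "id_number": "D1234567"})
    print(digital_id["name"], DIGITAL_ID_DB["C-1001"]["status"])
```
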

In some implementations, the customer device 130 may include a mobile application that exchanges communications to the digital identification server 110 as an application server. For example, the mobile application may be associated with a customer account that is stored on the digital identification database 112. In addition, the mobile application may periodically exchange information related to the security status assigned by the digital identification server 110 to determine whether the digital identification 132 is valid. In some instances, the mobile application may additionally or alternatively include various displays of the digital application such that the mobile application may be used as a replacement form of identification to a physical identification card.

The digital identification 132 may be displayed on a user interface on the customer device 130. For example, as shown in FIG. 1A, the digital identification 132 may include a photograph of a customer, a customer identifier, categorical data (e.g., identification classification), demographic information (e.g., sex, height, eye color, home address, date of birth, etc.), and issuance information associated with a corresponding physical identification card. In some instances, the digital identification may be a digital image of the corresponding physical identification card. In such implementations, the appearance of the digital identification may be substantially similar to the physical identification and consequently used as a duplicate form of identification.

In some implementations, the digital identification 132 may include one or more dynamic security protocols that utilize customer credential data to verify and validate the digital identification 132. For instance, the digital identification 132 may include customer credential data that include a set of visual indicators such as, for example, pattern overlays, holograms, kinetograms, or other types of graphical information that are visually detectable by human eyes. In other instances, the digital identification 132 may include customer credential data that include a set of indicators that may not be detectable by human eyes but are optically detectable by a detector device that is capable of using light detection and manipulation techniques to extract information related to the set of indicators.

In addition, customer credential data may be included in the digital identification 132 based on an assigned security state to the digital identification 132. For example, the security state may designate an expected customer credential within the digital identification 132, such that either an authorized user (e.g., a law enforcement officer, or other individual using the digital identification to verify the identity of the customer) or a detector device may compare a security feature displayed on the digital identification to the expected security feature to determine if the digital identification 132 is accurate and verified.

FIG. 1B illustrates exemplary security features of a digital identification. In general, the digital identification server 110 and the customer device 130 may regularly exchange communications to update the security status of the digital identification 132. For instance, the digital identification server 110 may transmit an instruction to update the security status with one or more customer credential data to the customer device 130 and the customer device 130 may transmit information related to usage of the digital identification 132 to the digital identification server 110, which may then update the customer entry in the digital identification database 112.

The digital identification server 110 may implement different levels of security features to protect customer information in the digital identification 132 against fraud and counterfeiting. For instance, as shown in FIG. 1B, the digital identification server 110 may implement a set of level one features 142, a set of level two features 144, and a set of level three features 146.

In general, the level one security protocols 142 may include visible indicators that are displayed on the digital identification 132 such that the visible indicators are detectable by human eyes. For instance, the visible indicators displayed on the digital identification 132 may be visually detected by an authorized user 102 (e.g., security personnel outside a restricted area, a law enforcement officer, etc.) and verified against an expected visual indicator for the digital identification 132.

In some implementations, the level one security protocols 142 may include a three dimensional rotating photo of the customer that rotates from left to right in a rendered composite image. In another example, the level one security protocols 142 may include a floating variable overlay that includes a hologram simulation layer that is updated based on the security status designated by the digital identification server 110. In another example, the level one security protocols 142 may include a variable virtual backdrop that is cycled randomly based on display instructions from the digital identification server 110. For instance, the variable virtual backdrop may include a specified background pattern that is displayed on the digital identification 132.

In some implementations, the level one security protocols 142 may include variable graphic or font alterations that are adjusted based on a set of time-specific or condition-specific patterns designated by the digital identification server 110. For instance, the graphical or font alterations displayed on the digital identification 132 (e.g., text font, text color, logos or patterns) may be adjusted based on a set of instructions transmitted from the digital identification server 110 to the customer device 130. In some instances, the one or more alterations may be implemented randomly from a list of available alterations included in the instructions transmitted from the digital identification server 110. In other instances, sets of alterations may be grouped together to generate different visual patterns based on a particular verification operation to be performed using the digital identification 132.

Level two security protocols 144 may include customer credential data, included within the digital identification 132, that are visually imperceptible to humans but detectable with the use of a detector device 140. For instance, the detector device 140 may use optical scanning techniques to detect the customer credential data, digital processing techniques to extract embedded data payloads, pattern recognition techniques to detect displayed patterns (e.g., QR codes), or other common forms of data authentication techniques employed in secure transactions.

In some instances, the detector device 140 may be capable of performing machine recognition techniques such as, for example, optical character recognition, optical word recognition, intelligent character recognition, or other forms of pattern recognition to identify features of interest within a captured image of the digital identification 132. In such instances, the detector device 140 may initially receive a pre-processed image of the digital identification 132, and then receive trained pattern data indicating the features of interest from the digital identification server 110. Using the trained pattern data, the detector device 140 may then recognize the features within the pre-processed image of the digital identification 132 based on performing machine recognition techniques.

In some implementations, the level two security protocols 144 may include multiple layers that are detectable to the detector device 140. For instance, the layers may either include different sets of graphical information, or a subset of graphical information associated with an overall graphic associated with customer credential data. For example, the graphic information may include variable art, variable font, microprint, variable hologram overlays, or combinations of the different graphical information. In such implementations, the detector device 140 may receive a set of instructions from the digital identification 132 to extract individual layers based on the use of visual filters to deselect layers of interest that may include customer credential data. In other examples, other light manipulation techniques may be applied to one or more of the layers to analyze the graphical information of the indicators within the digital identification 132.

In some implementations, the level two security protocols 144 may include rendering customer credential data from customer information within the digital identification 132. For instance, the digital information may include encrypted payloads with demographic and portrait data of the customer associated with the digital identification 132, information related to the security status of the digital identification 132, or other types of encoded information. In other instances, the digital information may include a quick response (QR) code that is provided to the detector device, and used to retrieve customer information. In other instances, the rendered customer credential data may include customer-unique audio watermarks (e.g., an audible message) or set of audio tones that may be provided to the detector device 140 for verification.

The level three security protocols 146 may include encrypted customer data pages that include secure customer information from the digital identification 132. For instance, customer data generated on the customer device 130 may be periodically transferred to the digital identification server 110 to update the security state and/or maintain updated credential information associated with the customer. The digital identification server 110 may encrypt the customer data pages generated on the customer device 130 using a rotating random key maintained and updated by the digital identification server 110. The encrypted customer data pages may additionally be provided to the detector device along with a decryption key 148 to enable the detector device 140 to decrypt the encrypted customer data pages and extract decrypted data payloads that include secure customer information.

In some implementations, the level three security protocols 146 may include the use of a variable checksum associated with the encrypted customer data pages to verify the secure information included in the encrypted customer data pages. For instance, the variable checksum may include a timestamp that is used to identify when the security status of a particular data page was last updated by the digital identification server 110. The timestamp in the variable checksum may then be cross-referenced against the last identified checksum within the digital identification database 112 to determine if the particular encrypted data page reflects updated customer information according to the most recent security status designated by the digital identification server 110.
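The cross-reference described above can be sketched as follows. This is an added example, not code from the patent: the checksum layout (`<timestamp>.<HMAC-SHA256 tag>`), the separate checksum key, the `ChecksumStore` stand-in for the digital identification database 112, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import struct


def make_checksum(key, customer_id, timestamp, page):
    """Build the variable checksum: timestamp plus a keyed tag over the page.

    Assumption: the page only says the checksum includes a timestamp; the
    HMAC construction and the "<timestamp>.<tag>" layout are illustrative.
    """
    cid = customer_id.encode()
    # Length-prefix the customer id so field boundaries are unambiguous.
    msg = struct.pack(">I", len(cid)) + cid + struct.pack(">Q", timestamp) + page
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{timestamp}.{tag}"


class ChecksumStore:
    """Stand-in for the last identified checksum kept in database 112."""

    def __init__(self):
        self._last = {}

    def record(self, customer_id, checksum):
        self._last[customer_id] = checksum

    def last(self, customer_id):
        return self._last.get(customer_id)


def check_page(key, store, customer_id, page, checksum):
    """Classify an encrypted data page presented with its checksum.

    Returns "current", "stale", "tampered", "malformed", "unknown"
    (no checksum on record) or "unrecorded" (valid tag the store never saw).
    """
    try:
        ts_text, _tag = checksum.split(".", 1)
        timestamp = int(ts_text)
    except ValueError:
        return "malformed"
    if not 0 <= timestamp < 2**64:
        return "malformed"
    # Integrity first: the tag must cover this page and this timestamp.
    expected = make_checksum(key, customer_id, timestamp, page)
    if not hmac.compare_digest(expected.encode(), checksum.encode()):
        return "tampered"
    # Freshness second: cross-reference against the last recorded checksum.
    last = store.last(customer_id)
    if last is None:
        return "unknown"
    if hmac.compare_digest(last.encode(), checksum.encode()):
        return "current"
    last_ts = int(last.split(".", 1)[0])
    return "stale" if timestamp < last_ts else "unrecorded"


def demo():
    # Constructed sample values; the page bytes stand in for ciphertext.
    key = b"constructed-demo-key-not-for-use"
    store = ChecksumStore()
    page_v1 = b"constructed ciphertext, security status v1"
    page_v2 = b"constructed ciphertext, security status v2"
    c1 = make_checksum(key, "c-001", 1700000000, page_v1)
    store.record("c-001", c1)
    c2 = make_checksum(key, "c-001", 1700003600, page_v2)
    store.record("c-001", c2)  # the server updated the security status
    return {
        "old_page": check_page(key, store, "c-001", page_v1, c1),
        "new_page": check_page(key, store, "c-001", page_v2, c2),
        "edited_page": check_page(key, store, "c-001", page_v2 + b"!", c2),
        "swapped": check_page(key, store, "c-001", page_v1, c2),
        "garbage": check_page(key, store, "c-001", page_v2, "not-a-checksum"),
    }


if __name__ == "__main__":
    print(demo())
```

A page that verifies but carries an older timestamp than the recorded checksum is reported as stale rather than invalid, which is the distinction the timestamp is there to make.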

FIGS. 2A-2C are interaction diagrams 200A-200C, respectively, of exemplary digital identification enrollment processes. As depicted, the diagram 200A represents interactions between the customer device 130, the digital identification server 110, the digital identification database 112, and the issuing authority server 120, as described in FIG. 1A, during a digital identification enrollment process.

Referring to FIG. 2A, the enrollment process of diagram 200A may initially begin when the digital identification server 110 accesses the digital identification database 112 to retrieve customer information (210). For instance, once a customer opts to enroll into the digital identification program (e.g., through an online signup, or submitting an application), a customer entry may be created in the digital identification database 112 based on the information provided by the customer. The digital identification server 110 may access the digital identification database 112 to extract customer information that includes an email address included in the customer entry.

After retrieving customer information, the digital identification server 110 may send an enrollment request email to the customer device 130 and receive customer-submitted information (212). For instance, the digital identification server 110 may transmit one or more emails to the customer device 130 including requests for customer account information necessary to generate the digital identification 132. For instance, the one or more emails may include, for example, a link to download the digital identification application, or a unique access code assigned to the customer within the customer entry. In response to selecting the link, the customer may be directed to download the digital identification application on the customer device 130. In some instances, the link may be a deeplink hyperlink that directs the customer to an application store associated with the operating system of the customer device 130.

In implementations where the one or more emails include the link to download the mobile application, after downloading and installing the mobile application, the customer device 130 may prompt the customer to provide customer information. For instance, the customer may be prompted to enter, into a graphical user interface rendered by the mobile application on the customer device 130, information associated with a physical identification card such as, for example, a digital driver license number, an email address, or a unique access code that was previously provided to the customer.

In some implementations, the digital identification server 110 may send the enrollment request to the customer device 130 using other types of messaging techniques such as, for example, short message service (SMS). In such implementations, the customer information retrieved from the digital identification database 112 may include a customer phone number, which may be used to send an SMS message to the customer device 130. Additionally or alternatively, the digital identification server 110 may provide notifications through the use of a mobile application installed on the customer device 130.

After receiving the customer-submitted information, the digital identification server 110 may verify the customer-submitted information (214). For instance, the digital identification server 130 may compare the customer-submitted customer information to customer information that is stored in the digital identification database 112. The digital identification server 130 may determine, for example, that the names, birthdays, home addresses, access code, etc., match. If the received customer-submitted information matches the customer information stored in the digital identification database 112, then the digital identification server 110 may determine that the customer-submitted information has been verified. Alternatively, if the customer-submitted information does not match the customer information stored in the digital identification database 112, then the digital identification server 110 may transmit an additional enrollment request email to the customer.

After verifying the customer-submitted information, the digital identification server 110 may request identification information from the issuing authority server 120 (216). For instance, the digital identification server 110 may query the issuing authority server 120 for information associated with a physical identification card issued by the issuing authority server 120. The identification information may include demographic information and portrait data for the customer that include details related to information displayed on the physical identification card. In some instances where the identification information stored at the issuing authority server 120 has recently been updated (e.g., issuance of a new identification), after retrieving the identification information from the issuing authority server 120, the digital identification server 110 may store the retrieved digital information on the digital identification database 112. In some implementations, the identification information may include biometric information, e.g., fingerprint information, iris information, etc., for the customer or information to embed in a digital identification generated for the customer for authentication purposes.

After retrieving identification information from the issuing authority server 120, the digital identification server 110 may generate the digital identification 132 for the customer and provide the digital identification to the customer device 130 (218). For instance, the digital identification server 110 may use the queried information from the issuing authority server 120 to generate a digital form of a physical identification card for the customer. In some implementations, the generated digital identification 132 may be a digital replica of the physical identification card such that the digital identification 132 may be used as a substitute identification. In other implementations, the generated digital identification 132 may include a portion of the identification information such that the digital identification 132 may be used complementarily to the physical identification card. For example, in such implementations, the digital identification 132 may include additional information that may be relevant to the physical identification card.

In some implementations, after generating the digital identification 132, the digital identification server 110 may include one or more security features into the digital identification 132. As described previously, the security features may include visual indicators that are displayed on the digital identification, optically scanning indicators that may be detected by a verification or detector device, or a variable credential associated with the customer. The digital identification 132 may then be provided to the customer device 130 for access by the customer or any other authorized user.

In some implementations, after generating the digital identification 132, the digital identification server 110 may additionally assign a customer access code to the digital identification to restrict access to the digital identification on the customer device 130. For instance, the assigned customer access code may be provided to the customer device 130 as a security configuration associated with the generated digital identification 132 and stored in the digital identification database 112.

Referring now to FIG. 2B, the enrollment process of diagram 200B initially begins when the issuing authority server 120 transmits identification information and an instruction to the digital identification server 110 to generate a digital identification 132 for the customer and the digital identification server 110 stores the identification information on the digital identification database 112 (220). For instance, the identification information may include information related to a vetted customer record on the issuing authority server 120 such as a customer identifier number, e.g., a driver's license number, associated with the customer identification record. The digital identification server 110 may then create a customer entry in the digital identification database 112 using the customer identification information received from the issuing authority server 120.

Transmission of the instruction to the digital identification server 110 may cause the digital identification server 110 to transmit an enrollment request email to the customer device 130 (222). For instance, the digital identification server 110 may transmit one or more emails to the customer device 130 including requests for customer information necessary to generate the digital identification 132 as described previously with respect to step 212 in FIG. 2A. For example, the one or more emails may include a link to download the digital identification application, or a unique access code assigned to the customer within the customer entry. In response to selecting the link, the customer may be directed to download the digital identification application on the customer device 130. In some instances, the link may be a deeplink hyperlink that directs the customer to an application store associated with the operating system of the customer device 130. The customer device 130 may provide the customer-submitted information in a manner similar to that described with respect to step 212 in FIG. 2A.

After receiving the customer-submitted information, the digital identification server 110 may verify the customer-submitted information (224). For instance, the digital identification server 130 may compare the customer-submitted customer information to the identification information that is stored in the digital identification database 112.

After verifying the customer-submitted information, the digital identification server 110 may generate the digital identification 132 for the customer and provide the digital identification to the customer device 130 (226). For instance, the digital identification server 110 may use the queried information from the issuing authority server 120 to generate a digital form of a physical identification card for the customer as described previously with respect to step 218 in FIG. 2A.

In some implementations, the issuing authority server 120 may initially not provide the digital identification database 112 enough information to generate a digital identification but enough information to send an enrollment request to the customer device 130 and verify customer-submitted identification. For example, the issuing authority server 120 may only provide the digital identification database 112 a name, e-mail, and birthday of a customer. After the customer is verified, the digital identification database 112 may then request additional information from the issuing authority server 120 in a manner similar to that previously described with respect to step 216 in FIG. 2A and the digital identification database 112 may then receive the additional information to generate the digital identification.

Referring now to FIG. 2C, the enrollment process of diagram 200B may initially begin when a customer transmits customer-submitted information and a request for the digital identification 132 to the digital identification server 110 (230). For instance, a customer may initially download a mobile application for the digital identification and request a digital identification through the mobile application. Accordingly, the process 200C may be initiated by the customer using the customer device 130. The request may include customer-submitted information that is used by the digital identification server 110 in a customer verification during the digital identification enrollment process. In some instances, the customer-submitted information may be customer identification information such as, for example, a facial image of the customer. For example, the mobile application may prompt the customer to take a photo of the customer's face using a camera in the customer device 130. The customer identification information may then be verified by the digital identification server 110 against customer information stored on the digital identification database 112. For example, the digital identification server 110 may use facial recognition to verify that the photo of the customer received from the customer device 130 matches a photo for the customer stored in the digital identification database 112.

Additionally or alternatively, in some implementations, the customer identification information may include information associated with a physical identification issued by the issuing authority. The customer identification information may include a captured image of a physical identification such as a driver license, a captured image of a QR code associated with the physical identification, or an identifier included in the physical identification. For example, the mobile application may prompt the customer to take a photo of a back of the customer's driver's license including a barcode and a front of a customer's driver's license using a camera in the customer device 130. In such implementations, the information associated with the physical identification may be verified by the digital identification 110 against customer information stored on the issuing authority server 120 and verified for security credentials, e.g., watermarks, types of font, ghost images, etc. For example, the digital identification server 110 may perform optical character recognition on the image of the front of the driver's license to extract a name, birthday, driver's license number, etc. and compare the extracted information to information for the customer from the digital identification database 112.

After receiving the customer-submitted information and the customer request for the digital identification 132, the digital identification server 110 may access the issuing authority server 120 to verify customer-submitted information (232). For instance, the digital identification server 110 may compare the customer-submitted customer information to customer information for the customer received from the issuing authority server 120. For example, the digital identification server 130 may determine that the names, birthdays, home addresses, etc., match.

After verifying the customer-submitted information, the digital identification server 110 may store the customer-submitted information on the digital identification database 112 (234). For instance, the digital identification server 110 may create a customer record on the digital identification database 112 that includes the customer-submitted information from the customer device 130.

After storing the customer-submitted information on the digital identification database 112, the digital identification 110 may request identification information from the issuing authority server 120 (236). For instance, the digital identification server 110 may query the issuing authority server 120 for information associated with a physical identification card issued by the issuing authority server 120 as described previously with respect to step 216 in FIG. 2A.

After retrieving identification information from the issuing authority server 120, the digital identification server 110 may generate the digital identification 132 for the customer and provide the digital identification to the customer device 130 (238). For instance, the digital identification server 110 may use the queried information from the issuing authority server 120 to generate a digital form of a physical identification card for the customer as described previously with respect to step 218 in FIG. 2A.

In some implementations, the customer device 130 may provide customer information that includes one or more of a photo of the customer or photos of a physical identification of the customer as described in step 230 additionally or alternatively to providing customer information in step 212 in FIG. 2A and step 222 in FIG. 2B.

FIG. 3 illustrates an exemplary process 300 of digital identification enrollment. Briefly, the process 300 may include obtaining customer information (310), deciding to provide a digital identification for the customer (320), providing an access code (330), receiving a request for digital identification (340), determining that the access code in the request matches the access code provided (350), providing a request for secure information (360), generating the digital identification for the customer (370), and providing the digital identification (380).

In more detail, the process 300 may include obtaining customer information (310). For instance, the digital identification server 110 may obtain, from the digital identification 112, customer information that describes the customer. As described previously, the customer information may include demographic information, historical information, or other types of information that describe the customer.

The process 300 may include deciding to provide a digital identification for the customer (320). For instance, the digital identification server 110 may determine to provide the digital identification 132 to the customer device 130 associated with the customer. As described previously, this determination may be the result of a customer opting to enroll into a digital identification program based on an online submission, or an enrollment form.

The process 300 may include providing an access code (330). For instance, in response to deciding to provide the digital identification 132 to the customer device 130 associated with the customer, the digital identification server 110 may provide an access code for activation to the customer device 130. Alternatively, in some instances, the digital identification server 110 may provide the access code for activation to the customer device 130 in response to obtaining the customer information from the digital identification database 112.

The process 300 may include receiving a request for digital identification (340). For instance, the digital identification server 110 may receive a request from the customer device 130 for the digital identification, where the request includes a customer-submitted access code that describes the user.

The process 300 may include determining that the access code in the request matches the access code provided (350). For instance, the digital identification server 110 may determine that the customer-submitted access code in the received request matches the access code for activation provided to the customer device 130.

The process 300 may include providing a request for secure information (360). For instance, the digital identification server 110 may provide a request, for secure information that describes the customer, to a secure information database on the issuing authority server 120.

The process 300 may include generating the digital identification for the customer (370). For instance, the digital identification server may generate the digital identification 132 for the customer based on the secure information from the issuing authority server 120 and the customer information.

The process 300 may include providing the digital identification (380). The digital identification server 110 may provide the generated digital identification 132 to the customer device 130.
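Steps 310 through 380 can be walked end to end in a short sketch that makes the ordering visible: secure information is requested from the issuing authority only after both the access code and the customer information match. This is an added example, not code from the patent; the class names, the hashed storage of the code, the single-use rule, the field normalization and all sample records are assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Fields compared during verification; the page names names, birthdays and
# home addresses as examples of what must match.
MATCH_FIELDS = ("name", "birthday", "home_address")


def normalize(value):
    """Fold Unicode form, case and whitespace so equal values compare equal."""
    text = unicodedata.normalize("NFKC", str(value))
    return " ".join(text.casefold().split())


class IssuingAuthority:
    """Stand-in for the secure information database on server 120."""

    def __init__(self, records):
        self._records = records
        self.queries = 0  # shows when secure information was requested

    def secure_information(self, customer_id):
        self.queries += 1
        return self._records[customer_id]


class EnrollmentServer:
    """Stand-in for digital identification server 110 running process 300."""

    def __init__(self, customer_db, authority):
        self._customers = customer_db  # digital identification database 112
        self._authority = authority
        self._pending = {}             # customer_id -> SHA-256 of issued code

    def provide_access_code(self, customer_id):
        """Steps 310-330: look up the customer entry and issue a code."""
        if customer_id not in self._customers:
            raise KeyError("no customer entry")
        code = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        # Assumption: only a hash of the code is kept server-side.
        self._pending[customer_id] = hashlib.sha256(code.encode()).digest()
        return code

    def request_digital_id(self, customer_id, submitted_code, submitted_info):
        """Steps 340-380: return the digital identification, or None."""
        record = self._customers.get(customer_id)
        stored = self._pending.get(customer_id)
        if record is None or stored is None:
            return None
        digest = hashlib.sha256(str(submitted_code).encode()).digest()
        code_ok = hmac.compare_digest(stored, digest)  # step 350
        info_ok = all(
            normalize(submitted_info.get(f, "")) == normalize(record[f])
            for f in MATCH_FIELDS
        )
        if not (code_ok and info_ok):
            return None  # rejected before any secure information is requested
        del self._pending[customer_id]  # assumption: the code is single-use
        secure = self._authority.secure_information(customer_id)  # step 360
        return {"customer_id": customer_id, "name": record["name"], **secure}


def demo():
    # Constructed sample records, not real data.
    info = {"name": "Jane Q. Public", "birthday": "1990-04-01",
            "home_address": "12 Example St, Springfield"}
    authority = IssuingAuthority(
        {"c-001": {"license_number": "D0000000", "portrait": b"<constructed>"}})
    server = EnrollmentServer({"c-001": dict(info)}, authority)
    code = server.provide_access_code("c-001")
    out = {}
    out["wrong_code"] = server.request_digital_id("c-001", "guess", info)
    out["wrong_info"] = server.request_digital_id(
        "c-001", code, {**info, "birthday": "1991-04-01"})
    out["queries_before_match"] = authority.queries
    sloppy = {**info, "name": "  jane q. PUBLIC "}
    out["match"] = server.request_digital_id("c-001", code, sloppy)
    out["replay"] = server.request_digital_id("c-001", code, info)
    out["queries_total"] = authority.queries
    return out


if __name__ == "__main__":
    print(demo())
```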

As described throughout, computer programs (also known as programs, software, software applications or code) include machine instructions for a programmable processor, and can be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the terms “machine-readable medium” and “computer-readable medium” refer to any computer program product, apparatus and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor.

Suitable processors for the execution of a program of instructions include, by way of example, both general and special purpose microprocessors, and the sole processor or one of multiple processors of any kind of computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The elements of a computer may include a processor for executing instructions and one or more memories for storing instructions and data. Generally, a computer will also include, or be operatively coupled to communicate with, one or more mass storage devices for storing data files; such devices include magnetic disks, such as internal hard disks and removable disks, magneto-optical disks, and optical disks. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices, magnetic disks such as internal hard disks and removable disks, magneto-optical disks, and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, ASICs (application-specific integrated circuits).

To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube), LCD (liquid crystal display) monitor, LED (light-emitting diode) or OLED (organic light-emitting diode) monitors) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well, for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user can be received in any form, including acoustic, speech, or tactile input.

The systems and techniques described here can be implemented in a computing system that includes a back end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front end component (e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back end, middleware, or front end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (“LAN”), a wide area network (“WAN”), and the Internet.

The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.

A number of implementations have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the invention. For example, much of this document has been described with respect to messaging and mapping applications, but other forms of graphical applications may also be addressed, such as interactive program guides, web page navigation and zooming, and other such applications.

In addition, the logic flows depicted in the figures do not require the particular order shown, or sequential order, to achieve desirable results. In addition, other steps may be provided, or steps may be eliminated, from the described flows, and other components may be added to, or removed from, the described systems. Accordingly, other embodiments are within the scope of the following claims.

What is claimed is:
 1. A computer-implemented method comprising: obtaining, from a digital identification database, customer information that describes a customer; providing to the customer device an access code for activation; receiving a request from the customer device for a digital identification that includes the access code and customer information describing the customer; determining that the access code in the received request matches the access code for activation provided to the customer device and that the customer information from the customer device matches the customer information that describes the customer obtained from the digital identification database; in response to determining that the access code in the received request matches the access code for activation provided to the customer device and that the customer information entered by the customer matches the customer information that describes the customer obtained from the digital identification database, providing a request for secure information that describes the customer from a secure information database; receiving the secure information that describes the customer stored in the secure information database; generating the digital identification for the customer based on the secure information and the customer information; and providing the digital identification to the customer device.
 2. The method of claim 1, wherein the secure information that describes the customer stored in the secure information database comprises demographic information associated with the customer and a portrait image of the customer.
 3. The method of claim 1, wherein providing to the customer device the access code for activation comprises providing a deeplink that directs the customer to install a digital identification application on the customer device.
 4. The method of claim 1, wherein receiving the request from the customer device for the digital identification comprises: receiving one or more images of a physical identification from the customer device; and identifying, based on using an optical character recognition technique on the one or more images of the physical identification, customer information that describes the customer.
 5. The method of claim 4, wherein generating the digital identification for the customer comprises: determining that the identified customer information that describes the customer from the one or more images of the physical identification matches the secure information that describes the customer stored in the secure information databases; and in response, generating the digital identification for the customer.
 6. The method of claim 1, wherein providing the digital identification to the customer device comprises providing an access credential associated with the digital identification.
 7. The method of claim 1, comprising: deciding to provide a customer device associated with the customer a digital identification for the customer, wherein providing to the customer device the access code for activation is in response to deciding to provide the customer device associated with the customer the digital identification for the customer.
 8. A system comprising: one or more computers; and a non-transitory computer-readable medium coupled to the one or more computers having instructions stored thereon, which, when executed by the one or more computers, cause the one or more computers to perform operations comprising: obtaining, from a digital identification database, customer information that describes a customer; providing to the customer device an access code for activation; receiving a request from the customer device for a digital identification that includes the access code and customer information describing the customer; determining that the access code in the received request matches the access code for activation provided to the customer device and that the customer information from the customer device matches the customer information that describes the customer obtained from the digital identification database; in response to determining that the access code in the received request matches the access code for activation provided to the customer device and that the customer information entered by the customer matches the customer information that describes the customer obtained from the digital identification database, providing a request for secure information that describes the customer from a secure information database; receiving the secure information that describes the customer stored in the secure information database; generating the digital identification for the customer based on the secure information and the customer information; and providing the digital identification to the customer device.
 9. The system of claim 8, wherein the secure information that describes the customer stored in the secure information database comprises demographic information associated with the customer and a portrait image of the customer.
 10. The system of claim 8, wherein providing to the customer device the access code for activation comprises providing a deeplink that directs the customer to install a digital identification application on the customer device.
 11. The system of claim 8, wherein receiving the request from the customer device for the digital identification comprises: receiving one or more images of a physical identification from the customer device; and identifying, based on using an optical character recognition technique on the one or more images of the physical identification, customer information that describes the customer.
 12. The system of claim 11, wherein generating the digital identification for the customer comprises: determining that the identified customer information that describes the customer from the one or more images of the physical identification matches the secure information that describes the customer stored in the secure information databases; and in response, generating the digital identification for the customer.
 13. The system of claim 8, wherein providing the digital identification to the customer device comprises providing an access credential associated with the digital identification.
 14. The system of claim 8, comprising: deciding to provide a customer device associated with the customer a digital identification for the customer, wherein providing to the customer device the access code for activation is in response to deciding to provide the customer device associated with the customer the digital identification for the customer.
 15. A non-transitory computer storage device encoded with a computer program, the program comprising instructions that when executed by one or more computers cause the one or more computers to perform operations comprising: obtaining, from a digital identification database, customer information that describes a customer; providing to the customer device an access code for activation; receiving a request from the customer device for a digital identification that includes the access code and customer information describing the customer; determining that the access code in the received request matches the access code for activation provided to the customer device and that the customer information from the customer device matches the customer information that describes the customer obtained from the digital identification database; in response to determining that the access code in the received request matches the access code for activation provided to the customer device and that the customer information entered by the customer matches the customer information that describes the customer obtained from the digital identification database, providing a request for secure information that describes the customer from a secure information database; receiving the secure information that describes the customer stored in the secure information database; generating the digital identification for the customer based on the secure information and the customer information; and providing the digital identification to the customer device.
 16. The device of claim 15, wherein the secure information that describes the customer stored in the secure information database comprises demographic information associated with the customer and a portrait image of the customer.
 17. The device of claim 15, wherein providing to the customer device the access code for activation comprises providing a deeplink that directs the customer to install a digital identification application on the customer device.
 18. The device of claim 15, wherein receiving the request from the customer device for the digital identification comprises: receiving one or more images of a physical identification from the customer device; and identifying, based on using an optical character recognition technique on the one or more images of the physical identification, customer information that describes the customer.
 19. The device of claim 18, wherein generating the digital identification for the customer comprises: determining that the identified customer information that describes the customer from the one or more images of the physical identification matches the secure information that describes the customer stored in the secure information databases; and in response, generating the digital identification for the customer.
 20. The device of claim 15, wherein providing the digital identification to the customer device comprises providing an access credential associated with the digital identification.
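
The verification gate recited in claims 1, 8 and 15, sketched in Python as an added example (not code from the patent or its applicant): the secure information database is queried only after both the access code and the customer information match. The in-memory dictionaries, the `customer_id` key, the `EnrollmentServer` and `normalize` names, single-use codes, the retry limit, field normalization and the constant-time comparison are all assumptions of this sketch; the claims specify none of them.

```python
import hmac
import secrets

# Constructed sample records standing in for the two databases in claim 1.
DIGITAL_ID_DB = {"cust-001": {"name": "Jane Q. Sample", "dob": "1985-03-14"}}
SECURE_INFO_DB = {"cust-001": {"address": "1 Example St", "portrait": "<image>"}}
MAX_FAILURES = 3  # assumption: the claims set no retry limit


def normalize(info):
    """Compare customer fields case- and whitespace-insensitively."""
    return {k: " ".join(str(v).split()).casefold() for k, v in info.items()}


class EnrollmentServer:
    def __init__(self):
        self.pending = {}        # customer_id -> [access_code, failures]
        self.secure_lookups = 0  # counts queries to the secure database

    def issue_access_code(self, customer_id):
        """Provide an access code for activation to a known customer."""
        if customer_id not in DIGITAL_ID_DB:
            raise KeyError(customer_id)
        code = secrets.token_urlsafe(16)
        self.pending[customer_id] = [code, 0]
        return code

    def handle_request(self, customer_id, access_code, customer_info):
        """Verify code and customer information, then build the digital ID."""
        entry = self.pending.get(customer_id)
        if entry is None:
            return None
        record = DIGITAL_ID_DB[customer_id]
        # Constant-time comparison avoids leaking how much of the code matched.
        code_ok = hmac.compare_digest(entry[0].encode(), access_code.encode())
        info_ok = normalize(customer_info) == normalize(record)
        if not (code_ok and info_ok):
            entry[1] += 1
            if entry[1] >= MAX_FAILURES:
                del self.pending[customer_id]  # revoke after repeated misses
            return None  # secure database is never queried on a mismatch
        del self.pending[customer_id]  # assumption: codes are single-use
        self.secure_lookups += 1
        secure = SECURE_INFO_DB[customer_id]
        return {"customer_id": customer_id, **record, **secure}
```
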